PortSwigger Web Security Blog

Monday, 22 March 2010

Intruder botox

I'll shortly be releasing to Burp Suite Pro users a new beta version of Burp Intruder, which contains a bunch of frequently-requested enhancements:

You can now configure multiple attacks independently in separate tabs (as with Burp Repeater). You can copy attack configurations between tabs, or save configurations for later use.

Payload positioning now uses the same feature-rich editor as other tools, and fully preserves binary/non-printing characters.

There are several new payload sources, including a bit flipper, character frobber and username generator.

The existing simple payload processing options (for encoding, etc.) are replaced with a rules-based processor which can perform arbitrarily many actions, such as match/replace, prefix/suffix, substring, case modification, encoding, decoding and hashing.

All feasible attack configuration options can now be modified during a live attack, and have immediate effect, including the base request template, payloads, grep settings and thread count.

Each attack optionally performs an unmodified baseline request, to enable easy comparison with the results of actual attack requests.

The attack results table contains the same rich functionality as the Proxy history, with a configurable filter, annotation of items with comments and highlights, and a preview pane for quick viewing of requests and responses.

Selected result items can be flagged to be re-requested (e.g. if network errors or timeouts have occurred).

When an attack is configured to follow redirects, all intermediate responses and requests are recorded in the results viewer.

Following the enhancements made to other tools in recent releases, Burp Intruder was starting to look a bit left behind. This upgrade brings Intruder up to the same level of functionality as the rest of the suite, and you will hopefully find it more powerful and easier to use than previously. There are a lot of requested features which didn't make the cut on this occasion, and these will hopefully make an appearance later this year.
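The rules-based payload processing listed above can be pictured as an ordered chain of small transformations applied to each payload. The sketch below is an added illustration, not Burp's own code: the function names, rule chains and sample payloads are all constructed for this example, and it shows that the order of the rules changes the value that is finally sent.

```python
import base64
import hashlib
import re
from urllib.parse import quote, unquote

# Each factory returns one rule: a function from payload string to payload string.
def match_replace(pattern, repl):
    return lambda p: re.sub(pattern, repl, p)

def prefix(text):
    return lambda p: text + p

def suffix(text):
    return lambda p: p + text

def substring(start, end=None):
    return lambda p: p[start:end]

def modify_case(mode):
    return {"upper": str.upper, "lower": str.lower}[mode]

def encode(scheme):
    return {"base64": lambda p: base64.b64encode(p.encode()).decode(),
            "url": lambda p: quote(p, safe="")}[scheme]

def decode(scheme):
    return {"base64": lambda p: base64.b64decode(p).decode(),
            "url": unquote}[scheme]

def hash_with(algorithm):
    return lambda p: hashlib.new(algorithm, p.encode()).hexdigest()

def process(payload, rules):
    """Apply rules in list order; each rule receives the previous rule's output."""
    for rule in rules:
        payload = rule(payload)
    return payload

# Constructed rule chains (not taken from the post).
USERNAME_TOKEN = [modify_case("lower"), match_replace(r"\s+", "."),
                  suffix("@example.test"), encode("base64")]
HASH_THEN_ENCODE = [hash_with("sha256"), substring(0, 16), encode("base64")]
ENCODE_THEN_HASH = [encode("base64"), hash_with("sha256"), substring(0, 16)]

if __name__ == "__main__":
    for sample in ["Alice Smith", "bob"]:  # constructed sample payloads
        print(sample, "->", process(sample, USERNAME_TOKEN))
    # Same three rules, different order, different value sent to the application.
    print(process("bob", HASH_THEN_ENCODE), process("bob", ENCODE_THEN_HASH))
```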

Absolutely love Burp Suite. However, there are 2 features which I am dying for!

0: I would love if under the scope tab there was an option to cache a page and an option to edit it, so that my modified version is served to the browser whenever it is requested. Very useful for messing with JavaScript files.

1: already mentioned, but I would also love the option to add additional requests to the Intruder and Repeater tabs so that step-through wizards can be tested more easily. Maybe to do this, you can add multiple requests to an attack and then specify which of the responses you would like to be returned.